It’s worth noting that Selbie left a local NHS Trust to run Public Health
England, a national job with a bigger salary. It could be considered a
promotion. It’s a bold claim that Lawrence appears to be making here, and
not one necessarily backed up by any evidence. I’m also not sure that the
Trust’s initial belligerence was extraordinary - the BPAS chief executive
said they would appeal but it didn’t happen and they paid up. Sony pursued
an appeal for several months, and both Central London Community Healthcare
and Scottish Borders Council went through with it, and in Borders’ case,
they were successful. Given the flawed reasoning in some of the ICO’s
earlier CMP decisions (up to and including Borders), I think it’s
extraordinary that there were not more appeals. I am certain that some
would have been successful. I’d be quite happy for the Chief Executive to
take on the ICO if I was a DPO and the case was good, and would equally
relish telling them it was a bad idea if it was.

Some people will not welcome the raised profile and additional
responsibilities that being a DPO will involve. It will be a hard job that
won’t suit everyone. However, having spoken to many DP officers over the
past year, most of them actively want or expect to be the DPO once the GDPR
comes into force. I can foresee the potential for conflict between a local
DP or IG specialist, and an external contractor brought in above them whose
advice is given more sway. Imagine, friends, someone like me swanning into
your offices as the DPO-for-hire and giving advice you don’t agree with.
The DPO must be consulted in a timely manner on all issues that relate to
the processing of personal data, which means the local DP or IG bod
becoming the sidekick for the outsider. I would have been seething if, when
I was a DP officer, an external contractor was consulted as well as, and
perhaps instead of me.

It’s also worth scrutinising the number of people who, having had a career
in sales or IT security (or in some cases, no apparent experience of
anything), are magically reinventing themselves as GDPR experts and touting
for business. These folk will surely move into the DPO on Demand market,
and any organisation dipping a toe into these waters will need to do some
thorough research and due diligence.

I personally have little interest in being an external DPO but the idea of
going back to being a DP Officer with the autonomy envisaged by the GDPR is
tempting. Some DPOs may not get the independence that the GDPR demands, and
some organisations will contract it out or force the DPO to work without
the recognition they deserve. But frankly, the DPO role is one of the most
interesting developments in the GDPR, and if you are a DP or IG person in a
relevant sector, you should grab the opportunity with both hands.

-- 
Tim Turner


On 23 January 2017 at 18:15:26, Lawrence Serewicz (
[log in to unmask]) wrote:

Dear All,

In all organisations, things take time to change. Usually, organisations
take a measured approach to change and succession planning as the Chief
Executive (CX) signals when they plan to depart so that the transition can
be smooth.

On some occasions, events overtake an organisation. Usually, we can see
when an organisation is ill-prepared for a departure when they have to
appoint an interim CX. The longer the interim period, the more chaotic or
abrupt the departure, since the HR service has to organise a search for a
replacement, usually with an outside agency, and vet those candidates.

All of this brings us to Brighton and Sussex University Hospital (BSUH).
You may recall they achieved the very dubious distinction of having the
largest monetary penalty notice imposed on a public sector organisation by
the ICO. The ICO imposed an initial MPN of £325k. This was announced in
January 2012.
http://localgovernmentlawyer.co.uk/index.php?option=com_content&view=article&id=9004%3Anhs-trust-faces-massive-ico-monetary-penalty-after-hard-drives-sold-on-ebay&catid=174%3Ahealthcare&Itemid=99

The January announcement was bad publicity. However, BSUH did something
extraordinary. They decided to fight the MPN both privately and publicly.
In much the same way that Haringey initially fought the bad publicity
around the death of Peter Donnelly, they thought the best defence was a good
offence. Only one person is ultimately responsible for such a strategy—the
CX. They may do it because advisors recommend it, but they are the ones who
are ultimately responsible.

In April 2012, the CX Duncan Selbie announced he was leaving.
http://www.theargus.co.uk/news/9634864.Brighton_hospital_chief_stepping_down/

Here is how he responded **publicly** to the ICO on 1 June 2012.

Chief Executive Duncan Selbie said: *“We dispute the Information
Commissioner’s findings, especially that we were reckless,* a requirement
for any fine. We arranged for an experienced NHS IT service provider to
safely dispose of our redundant hard drives and acted swiftly to recover,
without exception, those that their sub-contractor placed on eBay. No
sensitive data has therefore entered the public domain.”

Selbie pointed out that it had voluntarily reported “all of this” to the
ICO, and *claimed that he had been told by the watchdog in the summer of
2011 that this was not a case worthy of a fine*.

BSUH’s chief executive *added that the ICO had ignored its extensive
representations*.

“It is a matter of frank surprise that we still do not know why they have
imposed such an extraordinary fine despite repeated attempts to find
out, *including a freedom of information request which they interestingly
refused on the basis that it would ‘prejudice the monetary penalty
process’,” he said.*

Selbie added: “In a time of austerity, we have to ensure more than ever
that we deliver the best and safest care to our patients with the money
that we have available. *We simply cannot afford to pay a £325,000 fine and
are therefore appealing to the Information Tribunal.” [Emphasis added]*

I would suggest what I highlighted reflected the view of senior managers.
Would you want to be the DPO in this organisation, before, during, or after
the event? Imagine if you had signed off on the process whereby the disk
drives were disposed of. Do you think you would face any scrutiny? In
particular, as you are now a publicly identifiable individual whose contact
details are available to the public, how will you handle media questions?
Have you had media training?

On 9 July *interim CX* Chris Adcock announced BSUH was not contesting the
MPN and paid the discounted amount of £260k.

http://localgovernmentlawyer.co.uk/index.php?option=com_content&view=article&id=10912%3Anhs-trust-ends-appeal-over-record-ico-fine-and-pays-up&catid=174%3Ahealthcare&Itemid=99

You will note his conciliatory statement.

Adcock added: “There is, however, *nothing more odious than one public body
having a public argument with another at the taxpayer’s expense*. We are
not prepared to incur further costs and are therefore paying the ICO
£260,000.” [emphasis added]

Mr Adcock was acting after Mr Selbie had left. He would remain the interim
CX for 10 months. We see that the BSUH changed its tune as it
changed CX. It may have suggested that Mr Selbie’s approach, fighting the
ICO, was not considered to be in the organisation’s best interest, in
particular as the organisation changed course soon after he left.

I will leave it to readers to decide if the security incident contributed to
Mr Selbie’s departure.

I would ask list members to reflect on whether they want to be a DPO since
the fines in the future can be up to 20 Million Euros. I would suggest you
need to consider how an organisation reacted to what was, in effect, a
£260k MPN. Do list members think the work they have done as data protection
officers has prepared them adequately for this new role? Does the
organisation think that it will have an adequate approach to the DPO if it
changes the dpo to the DPO?

Best,

Lawrence

Lawrence Serewicz
Information and Records Manager
Transformation and Partnerships
Durham County Council
County Hall, Room 143-148 4th Floor
Durham, County Durham, DH1 5UF

Direct 03000 268 038
Switchboard 03000 26 0000

www.durham.gov.uk
Follow us on Twitter @durhamcouncil
Like us at facebook.com/durhamcouncil
Follow us on linkedin.com/company/durham-county-council


*From:* Tim Turner [mailto:[log in to unmask]]
*Sent:* 20 January 2017 07:47
*To:* Lawrence Serewicz <[log in to unmask]>;
[log in to unmask]
*Subject:* Re: [data-protection] With fines of up to £20million Euros are
DPOs ready for that kind of pressure

That's really interesting - which Chief Executive stepped down after an MPN
was issued?

Tim Turner

On Thu, Jan 19, 2017 at 10:56 PM, Lawrence Serewicz <
[log in to unmask]> wrote:



Dear All,

At the moment, the UK has a DP regime where the max monetary penalty notice
is £500k. Since the MPN was introduced, organisations have reacted in
different ways. We have seen some organisations fight the MPN to the final
stage, incurring legal costs. We have seen CEOs step down after the MPNs
were received.

What has occurred is that the MPNs have focused minds. In that sense,
it has made it important for the organisations to get it right. All along,
the humble DP officer has been on the sidelines saying “Mind the DPA or
the MPN will get you.” With that advice, the organisation operates as it
needs to without the DP officer being responsible for either the advice or
the organisation. In the end, the organisation can take the advice or
operate as they want.

The DPO is a different creature. They will now be responsible for giving
clear guidance to the organisation for it to comply with the GDPR. If they
get that guidance wrong, if they say “You need to do x, y and z” but it
turns out that z was not the correct interpretation of the GDPR, then they
will be in for some scrutiny. To be sure, the Data Controller is
responsible, not the DPO. The GDPR makes this clear. However, if the DPO has
said that it is OK, I am certain that organisations will want to ask some
questions.

Much will depend on how the organisation sees the DPO and the way their
contract is written. The contract will reflect how they are seen to work
with the normal GDPR compliance work within the organisation. No matter
what, the DPO will be under more scrutiny than the Data Protection
officers.



Best,



Lawrence

All archives of messages are stored permanently and are available to the
world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html